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Abstract 

It  is  claimed  in  Phys.  Lett.  A  by  T.  Nishioka  et  al.  [327  (2004)  28-32]  that  the 
security  of  Y-00  is  equivalent  to  that  of  a  classical  stream  cipher.  In  this  paper  it  is 
shown  that  the  claim  is  false  in  either  the  use  of  Y-00  for  direct  encryption  or  key 
generation,  in  all  the  parameter  ranges  it  is  supposed  to  operate  including  those  of 
the  experiments  reported  thus  far.  The  security  of  Y-00  type  protocols  is  clarified. 
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A  new  approach  to  quantum  cryptog¬ 
raphy  called  KCQ,  (keyed  communi¬ 
cation  in  quantum  noise),  has  been 
developed  [1]  on  the  basis  of  a  differ¬ 
ent  advantage  creation  principle  from 
that  in  either  uncorrelated-classical- 
noise  key  generation  [2]  or  the  well 
known  BB84  quantum  protocol  [3]. 
A  special  case  called  arj  (or  Y-00  in 
Japan)  has  been  experimentally  in¬ 
vestigated  and  developed  to  a  consid¬ 
erable  extent  [4, 5, 6, 7, 8]  for  direct  en¬ 
cryption.  In  Ref.  [9],  the  claim  is  made 
that  Y-00  is  equivalent  to  a  classi¬ 
cal  stream  cipher,  in  particular  that 
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the  quantum  noise  is  negligible,  and 
thus  also  cannot  be  used  for  key  gen¬ 
eration.  This  claim  is  justified  by  an 
”  attack”  that  reduces  the  security  of 
Y-00  to  that  of  a  standard  stream  ci¬ 
pher  for  the  purpose  of  obtaining  the 
data  bits  from  observing  the  output 
of  Y-00.  In  this  paper,  we  will  show 
that  this  claim  is  patently  false. 

The  main  explicit  claim  in  [9]  is  that 
their  classical  stream  cipher,  “Case 
2” ,  has  the  same  security  as  Y-00,  and 
so  can  be  employed  instead.  We  will 
refute  this  claim  in  connection  with 
both  data  and  key  security  (the  latter 
is  not  even  considered  in  [9])  ,  in  di¬ 
rect  encryption  as  well  as  in  key  gen¬ 
eration,  and  also  show  that  their  “at- 
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tack”  is  an  ineffective  one  on  Y-00. 

One  basic  error  in  [9]  is  the  assump¬ 
tion  that  Y-00  with  the  parameters 
reported  in  [4, 5, 6, 7, 8]  is  reducible 
to  their  “Case  1”  cipher  for  which 
Eq.  (10)  of  [9]  is  valid  without  er¬ 
ror.  Such  error  of  course  decreases 
with  increasing  coherent-state  en¬ 
ergy,  but  it  is  trivial  to  claim  that 
a  coherent-state  system  is  classical 
when  the  energy  in  the  system  is 
large  enough  as  compared  to  all  the 
parameters  of  the  operating  scheme. 
We  have  always  qualified  our  own 
claim  by  saying  that  the  coherent- 
state  energy  is  “mesoscopic” .  In  the 
case  of  direct  encryption  parameters 
reported  experimentally  [4, 5, 6, 7, 8], 
the  reduction  of  Ref.  [9]  results  in  a 
classical  stream  cipher  in  quantum 
noise  with  an  error  rate  of  ~1%  ,  and 
has  already  been  analyzed  in  detail 
by  the  Hirota  group  [10].  Further¬ 
more,  even  when  the  coherent-state 
quantum  noise  of  Y-00  can  in  princi¬ 
ple  be  replaced  by  classical  random¬ 
ization,  such  randomization  makes 
Y-00  a  random  cipher.  It  is  known 
that  a  random  cipher  may  have  bet¬ 
ter  secret-key  security  compared  to 
a  classical  stream  cipher,  such  as 
“Case  2”  of  [9] ,  which  is  nonrandom. 

Another  error  made  in  [9]  may  arise 
from  the  incorrect  claim  made  in  [12], 
This  involves  Fig.  4  of  [9]  and  the  dis¬ 
cussion  around  it  pertaining  to  the 
use  of  Y-00  for  key  generation,  with 
the  key  being  used  subsequently  in  a 
classical  cipher.  The  protocol  of  Fig. 
4  is  seriously  incomplete  for  key  gen¬ 
eration  and  is  not  one  we  intended  or 
claimed  to  use.  Before  further  elabo¬ 
ration  on  these  errors  in  [9],  we  first 


briefly  review  the  Y-00  scheme  and 
remove  a  very  common  misconcep¬ 
tion  about  direct  encryption  versus 
key  generation. 

Consider  the  original  experimental 
scheme  Y-00  as  described  in  Ref.  [4] 
and  depicted  in  Fig.  1.  Alice  encodes 
each  data  bit  into  a  coherent  state 
in  a  qumode,  an  infinite-dimensional 
Hilbert  space,  of  the  form  [11] 

Wi)  —  |a!o(cos^  +  isin^))  (1) 

where  ao  is  real,  6i  =  27 r£/M,  and 
t  G  {0,  ...,m  —  1}.  The  M  states 
are  divided  into  M/2  basis  pairs 
of  antipodal  signals  {|  ±  c^)}  with 
— ai  =  a?+M/ 2-  A  seed  key  K  of  bit 
length  |  A' |  is  used  to  drive  a  conven¬ 
tional  encryption  mechanism  whose 
output  is  a  much  longer  running 
key  K'  that  is  used  to  determine, 
for  each  qumode  carrying  the  bit 
b{=  0, 1},  which  pair  {|  ±  c^)}  is  to 
be  used.  Bob  utilizes  a  quantum  re¬ 
ceiver  to  decide  on  b  knowing  which 
particular  pair  { |  ±  a?) }  is  to  be  dis¬ 
criminated.  On  the  other  hand,  Eve 
needs  to  pick  a  quantum  measure¬ 
ment  for  her  attack  in  the  absence 
of  the  basis  knowledge  provided  by 
the  seed  or  running  key.  The  differ¬ 
ence  in  the  resulting  receiver  perfor¬ 
mance  is  a  quantum  effect  with  no 
classical  analog,  and  constitutes  the 
ground  for  possible  advantage  cre¬ 
ation  in  the  scheme.  Note  that  since 
the  quantum- measurement  noise  is 
irreducible,  such  advantage  creation 
can  result  in  an  unconditionally  se¬ 
cure  key  generation  protocol.  In  con¬ 
trast,  in  a  classical  situation  includ¬ 
ing  noise,  the  simultaneous  measure- 
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Fig.  1.  Left:  Overall  schematic  of  the  Y- 
with  interleaved  logical  state  mappings. 

ment  of  the  amplitude  and  phase  of 
the  signal,  as  realized  optically  by 
heterodyning,  provides  the  general 
optimal  measurement  for  both  Bob 
and  Eve;  thus  preventing  any  ad¬ 
vantage  creation  under  our  approach 
that  grants  Eve  a  copy  of  the  state 
for  the  purpose  of  bounding  her  in¬ 
formation. 

One  needs  to  first  distinguish  the  use 
of  such  a  scheme  for  key  generation 
versus  data  encryption.  It  may  first 
appear  that  if  the  system  is  secure 
for  data  encryption,  it  would  also  be 
secure  for  key  generation  if  the  data 
are  subsequently  used  as  keys.  This 
is  indeed  the  view  taken  in  Ref.  [9] 
and  Ref.  [12].  It  is  unfortunate  that 
the  author  of  Ref.  [12],  a  co-author  of 
Refs.  [4,5],  made  this  conclusion  that 
the  direct  encryption  experiments  in 
[4,5]  would  already  allow  key  genera¬ 
tion  inspite  of  our  objections.  In  fact, 
for  the  direct  encryption  experiments 
in  Refs.  [4, 5, 6, 7, 8],  we  have  only 
claimed  complexity-based,  security 
against  general  attacks,  with  “un¬ 
conditional  security”  only  against  a 
very  limited  class  of  “individual  at¬ 
tacks.”  The  situation  may  be  delin¬ 


scheme.  Right:  Depiction  of  M/2  bases 

eated  as  follows.  Let  Xn,  Y®,  Yff  be 
the  classical  random  vectors  describ¬ 
ing  the  bit  data  of  length  n,  Eve’s 
observation,  and  Bob’s  observation. 
Eve  may  make  any  quantum  mea¬ 
surement  on  her  copy  of  the  quantum 
signal  to  obtain  Yjf  in  her  attack.  In 
the  case  of  a  standard  classical  ci¬ 
pher,  YnR  =  Y[B  =  Yn,  the  following 
Shannon  limit  [13]  applies 

H{Xn\Yn)  <  H{K )  (2) 

and  so  there  can  be  no  fresh  key 
generation.  This  is  because  all  the 
uncertainty  in  Xn  is  derived  from  K , 
however  long  n  is.  While  H(Xn\Yff) 
describes  the  level  of  information- 
theoretic  security  of  the  data  Xn 
against  ciphertext-only  attacks, 
H(K\Yff)  describes  the  information- 
theoretic  security  of  the  key  against 
ciphertext-only  attacks  with  known 
a  priori  probability  p(Xn),  thus  in¬ 
cluding  known  and  chosen  plaintext 
attacks  in  the  case  of  degenerate 
p(Xn).  See  Ref.  [14]  and  [1]  for  fur¬ 
ther  discussion.  In  standard  cryptog¬ 
raphy,  one  typically  does  not  worry 
about  ciphertext-only  attack  on  com- 
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pletely  random  data,  where  Eq.  (2) 
is  usually  satisfied  with  equality  En¬ 
large  n  for  the  designed  key  length 
\K\  =  H(K).  Rather,  it  is  attacks 
on  the  key  with  known  nonuniform 
p(Xn),  using  information  on  K  so 
obtained  on  future  data,  that  is  the 
focus  of  concern,  as  in  the  Advanced 
Encryption  Standard  (AES). 

The  reduction  of  Y-00  to  the  classi¬ 
cal  stream  cipher  of  ref  [9]  consists  in 
collapsing  any  observation  to  a  sin¬ 
gle  bit  It,  with  the  claim  that,  as  de¬ 
scribed  in  Eq.  (9)-(ll)  of  [9], 

k  =  Xi  ®  hi  (3) 

where  Xi  is  the  data  bit  [15]  at  the 
ith  position  of  the  data  sequence, 
and  hi  is  a  fixed  function  of  the  run¬ 
ning  key  that  determines  the  basis 
used  for  that  position.  Each  l,  is  0  or 
1  according  to  whether  Eve’s  obser¬ 
vation  on  the  ith  qumode  lies  on  the 
upper  or  lower  half-circle  with  re¬ 
spect  to  the  “horizontal”  basis  given 
by  the  all  zero  running  key.  However, 
Eq.  (3)  is  not  always  true  due  to  the 
quantum  noise  in  Eve’s  measurement 
which  sometimes  pushes  the  mea¬ 
sured  result  to  the  wrong  side  of  the 
horizontal  line.  From  the  intrinsic 
coherent-state  angular  uncertainty 
with  a  phase  standard  deviation  of 
1/ao,  an  estimate  of  the  bit  error  rate 

Jf  ~  2/(ira0)  (4) 

is  simply  obtained  if  one  assumes 
that  the  measured  state  is  uniformly 
distributed  within  a  standard  devi¬ 
ation  only.  In  deriving  Eq.  (4)  we 
have  also  used  the  fact  that  the 


(M/2)  bases  are  selected  with  uni¬ 
form  marginal  probability  for  each 
qumode,  which  is  a  consequence  of 
using,  e.g.,  a  LFSR  for  the  ENC 
box  of  Fig.  1  with  seed  key  length 
\K\  >  log2(M/ 2).  This  PbE  is  in 
rough  agreement  with  the  numer¬ 
ical  calculations  of  ref  [10],  which 
includes  the  optimal  quantum  re¬ 
ceiver  performance  result  for  this 
“attack”  via  the  optimal  binary  de¬ 
cision  measurement.  The  resulting 
1%  error  means  that  for  the  pur¬ 
pose  of  attacking  the  data  Xn,  the 
reduction  is  equivalent  to  a  classical 
stream  cipher  with  unknown  K  re¬ 
ceived  in  noise  that  causes  1%  error 
in  the  output  ciphertext.  Thus,  Y-00 
is  not  equivalent  to  a  classical  stream 
cipher,  but  rather  to  one  in  signifi¬ 
cant  noise  even  in  the  experimental 
regime  reported  thus  far.  Indeed,  not 
only  do  such  errors  invalidate  the 
Shannon  limit  Eq.  (2)  for  a  standard 
stream  cipher,  they  also  create  ad¬ 
vantage  for  the  users  and  allow  key 
generation  in  the  usual  fashion  [2], 
To  see  that  the  error  rate  of  1%  is 
significant,  note  that  it  allows  a  sub¬ 
stantial  key  generation  rate  of  10 
Mbps  for  a  raw  bit  rate  of  1  Gbps, 
using  privacy  amplification  [16] .  The 
authors  of  [9]  mistakenly  omit  the 
privacy  amplification  step  required 
for  key  generation  in  their  Fig.  4. 

On  the  other  hand,  a  stronger  attack 
may  be  launched  on  Y-00  by  mak¬ 
ing  a  heterodyne  measurement  which 
retains  all  the  log2M  bits  of  output 
for  each  qumode.  Under  such  an  at¬ 
tack,  the  cipher  becomes  a  classical 
random  cipher  in  principle,  satisfying 
Eq.  (2)  with  the  experimental  param¬ 
eters  of  [4],  This  is  because  the  ex- 
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periments  on  the  original  Y-00  have 
parameters  that  satisfy 

H(Xn\Y*,K)~Q  (5) 

when  the  heterodyne  measurement 
is  made  on  each  qumode  by  Eve. 
Under  Eq.  (5),  Eq.  (2)  also  obtains 
and  the  data  security  is  no  better 
than  \K\  as  in  all  standard  sym¬ 
metric  key  ciphers.  Furthermore,  in 
this  regime,  and  under  the  hetero¬ 
dyne  attack  which  is  more  powerful 
than  that  of  [9],  key  generation  with 
information-theoretic  security  is  im¬ 
possible  in  principle,  a  point  missed 
in  ref  [12]  and  in  all  the  criticisms 
of  Y-00  including  ref  [9]  and  ref  [17], 
but  was  explicitly  stated  in  the  Erst 
version  of  ref  [1],  This  point  is  at 
least  implicit  in  ref  [4]  where  we  said 
the  experiment  has  to  be  modified 
for  key  generation.  One  simple  way 
to  break  the  Shannon  limit  Eq.  (2) 
while  protecting  the  key  at  the  same 
time  is  to  randomize  (unkeyed)  the 
state  transmitted  to  cover  the  half¬ 
circle  defined  by  the  basis  chosen  by 
the  running  key,  which  we  call  DSR 
in  [1],  Indeed,  the  resulting  noise  be¬ 
havior  for  Eve  is  similar  to  the  1% 
error  neglected  in  ref  [9],  and  is  also 
the  basis  of  advantage  creation  for 
key  generation.  Clearly,  there  is  no 
room  to  go  into  any  detail  on  such 
variations  and  extensions  of  Y-00  in 
this  paper. 

Nevertheless,  it  is  important  to  note 
that  heterodyning  by  Eve  does  not 
reduce  Y-00  to  a  classical  stream  ci¬ 
pher  even  under  Eq.  (5).  Rather,  it 
reduces  it  to  a  random  cipher ,  i.e., 
a  cipher  with  randomized  encryption 


[18]  so  that 

H (Yn\Xn,  K)  ^  0,  (6) 

which  can  be  accomplished  classi¬ 
cally  in  principle,  but  not  in  current 
practice.  This  is  because  true  ran¬ 
dom  numbers  can  only  be  generated 
physically,  not  by  an  algorithm,  and 
the  practical  rate  for  such  genera¬ 
tion  is  five  to  six  orders  of  magnitude 
below  the  ~  Gbps  rate  in  our  ex¬ 
periments  where  the  coherent-state 
quantum  noise  does  the  randomiza¬ 
tion  automatically.  Furthermore,  our 
physical  “analog”  scheme  does  not 
sacrifice  bandwidth  or  data  rate  com¬ 
pared  to  other  known  randomization 
techniques.  There  is  an  unexplored 
avenue  with  respect  to  a  random  ci¬ 
pher  in  that  there  is  no  proof  that 
the  key  is  not  information-theoretic 
secure,  i.e.,  that  K  can  be  pinned 
down  by  a  long  Yn  via  the  unicity 
distance  with  known  p(Xn)  as  in  a 
non-randomized  cipher  [13,18,19], 
whether  p(Xn)  is  degenerate  or  not. 
Indeed,  it  is  known  [20]  that  a  spe¬ 
cific  kind  of  randomized  encryption 
can  defeat  any  attack  on  the  key 
when  the  source  generates  indepen¬ 
dent  data  bits  with  p( X  =  0)  7^  1/2. 
Since  the  coherent-state  quantum 
noise  makes  efficient  high-rate  ran¬ 
domized  encryption  possible  in  prac¬ 
tice  in  Y-00,  it  is  indeed  a  quantum 
cipher  in  the  important  sense  that  an 
essential  feature  of  the  cipher  arises 
from  quantum  noise. 

In  this  connection,  we  address  the 
attacks  described  by  Lo  and  Ko  [17], 
which  can  be  launched  either  when  a 
long  sequence  of  plaintext  is  known 
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or  when  the  plaintext  statistics  are 
nonuniform.  Therefore,  they  are  not 
directly  applicable  to  Y-00  used  for 
key  generation.  These  attacks  can 
however  be  launched  on  a  classi¬ 
cal  cipher  that  uses  the  generated 
key,  and  the  authors  of  [17]  give  an 
argument  that  reduces  such  an  at¬ 
tack  to  a  similar  one  directly  on  the 
data  sent  in  the  key  generation  step. 
However,  this  reduction  is  incorrect 
becuase,  as  in  [9],  the  privacy  am¬ 
plification  step  in  the  key  generation 
stage  is  omitted.  Furthermore,  their 
attacks  are  impractical  in  that  they 
require  exponential  loss  or  exponen¬ 
tially  long  input  n— sequences  [21] 
and  exponential  search.  They  also 
miss  the  distinction  between  ran¬ 
dom  and  non-random  ciphers  with 
regard  to  attacks  on  the  key.  Also, 
the  Grover  search  attack  desribed  in 
[17]  is  claimed  to  break  Y-00  because 
in  the  asymptotic  n  — >  oo  limit, 
the  output  states  corresponding  to 
different  seed  key  values  become  or¬ 
thogonal.  In  addition  to  the  subtle 
problem  of  orthogonality  in  a  non- 
separable  Hilbert  space,  it  makes 
little  cryptographic  sense,  even  for  a 
non-random  cipher,  to  just  look  at 
the  asymptotic  n  — >  oo  limit.  Indeed, 
Shannon  calls  a  system  that  is  bro¬ 
ken  only  at  n  — >  oo  “ideal”  [13,18]. 

The  claimed  “Case  2”  non-random- 
cipher  reduction  of  Y-00  in  [9]  has 
weaker  security  against  attacks  on 
the  key  compared  to  Y-00  due  to  the 
1%  error  that  exists  in  the  attack  of 
[9]  on  Y-00.  This  error  induces  ran¬ 
dom  errors  on  the  actual  bases  or 
running  key  estimate,  and  may  allow 
some  information-theoretic  security 
on  K .  Indeed,  even  under  a  general 


attack,  the  logical  possibility  is  open 
that  Y-00  is  information-theoretic 
secure  or  at  least  Shannon  “ideal”. 
Even  if  such  turns  out  not  to  be  the 
case,  the  “Case  2”  cipher  still  has  less 
key  security  against  known-plaintext 
attacks  than  Y-00  for  the  following 
reason.  Any  given  classical  nonran¬ 
dom  cipher  can  be  used  as  the  ENC 
box  in  Y-00  which  then  provides  an 
added  layer  of  protection  through 
the  coherent-state  modulation.  Even 
under  the  heterodyne  attack  that 
utilizes  the  full  state  observation, 
one  obtains  the  following  brute-force 
key-search  complexity  corresponding 
to  the  number  of  possible  running 
key  sequences  for  large  n, 

C  ~  (  XM  )\K\/ loga(ff)  (7) 

where  A  =  2  for  ciphertext-only  at- 
tack(i.e.  random  data)  and  A  =  1  for 
known-plaintext  attacks.  The  esti¬ 
mate  Eq.  (7)  is  obtained  by  count¬ 
ing  only  the  possible  states  within 
one  standard  deviation  of  the  phase, 
which  is  actually  an  underestimate 
for  large  n.  With  our  experimental 
parameters  of  M  ~  4  x  103,  a 0  ~ 
2  x  102,  \K\  ~  4.4  x  103  [8],  one  has 
C  >  2480  for  A  =  1,  well  beyond 
any  conceivable  classical  or  quan¬ 
tum  search  capability.  Note  that  the 
Grover’s  search  described  in  [17]  suf¬ 
fers  from  a  similar  exponential  lim¬ 
itation.  This  search  is  needed  to  at¬ 
tack  the  ENC  box  seed  key  from  its 
output,  which  is  absent  for  a  nonran¬ 
dom  classical  stream  cipher  where 
the  ENC  output  is  uniquely  specified 
in  a  known-plaintext  attack.  One 
may  match  the  ENC  cipher  rate  to 
the  data  rate  in  Y-00  by  using  a  to- 
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tal  of  lo(]2^-  different  deterministic 
functions  ft  to  operate  on  a  given 


to  provide  the  bases  for  log2 4jr  data 
bits.  Although  this  would  lower  the 
estimate  Eq.  (7)  in  general,  under 
a  known-plaintext  attack  a  search 
complexity  remains  for  pinning  down 
the  possible  outputs  of  the  ENC  box 
whereas  the  output  of  the  ENC  box 
is  uniquely  specified  for  the  “Case 
2”  cipher.  Note,  however,  that  for 
ciphertext-only  attacks  on  K  (i.e. 
those  for  which  the  plaintext  is  ran¬ 
dom),  a  classical  stream  cipher  can 
provide  information-theoretic  secu¬ 
rity. 

We  briefly  describe  the  possibility 
of  key  generation  with  the  origi¬ 
nal  Y-00  of  Fig.l.  The  condition 
for  information-theoretically  secure 
fresh  key  generation  is,  in  general 

H(Xn\Yr [f ,  K)  >  H(Xn\Y* ,  K).  (8) 

In  Eq.  (8),  Yff  is  obtained  from  a 
quantum  measurement  without  the 
knowledge  of  K.  It  is  then  used  to¬ 
gether  with  any  value  of  K  to  esti¬ 
mate  the  data  Xn.  This  necessary 
condition  has  to  be  supplemented 
with  one  on  the  key  K  security  for 
defense  against  adaptive  measure¬ 
ments,  as  discussed  in  [1],  to  make  it 
sufficient  also.  This  would  require  the 
extension  of  Y-00  in  different  possi¬ 
ble  ways,  such  as  DSR  and  CPPM 
described  in  [1],  However,  against  in¬ 
dividual  attacks  with  a  fixed  qumode 
measurement,  Eq.  (8)  is  sufficient 
and  can  be  readily  seen  to  hold  as 
follows.  With  S  =  ao  \ 2  being  the 
average  photon  number  in  the  states 


(1),  the  bit-error  rate  for  Bob  with 
the  optimum  quantum  receiver  [22]  is 

a  =  \e~‘S-  (9) 

The  bit-error  rate  for  heterodyning, 
considered  as  a  possible  attack,  is  the 
well  known  Gaussian  result 

nh“  ~  je-s,  (10) 

and  that  for  the  optimum-phase  mea¬ 
surement  tailored  to  the  states  in  (1) 

is 

Pt  ~  Ie-2S  (11) 

over  a  wide  range  of  S.  The  difference 
between  Eq.  (9)  and  Eq.  (11)  allows 
key  generation  at  any  value  of  S  if  n  is 
long  enough.  With  a  mesoscopic  sig¬ 
nal  level  S  ~  7,  one  has  P&  ~  10-12, 
Pbhet  ~  1CT3,  Pfh  ~  1CT6.  For  rea¬ 
sonable  n,  this  contradicts  the  claim 
in  [9]  that  quantum  effects  are  neg¬ 
ligible  until  S  <  1  +  l/y/2,  as  fol¬ 
lows.  If  the  data  arrives  at  a  rate 
of  1  Gbps,  Bob  is  likely  to  have  109 
error-free  bits  in  1  second,  while  Eve 
would  have  rsj  106  or  rsj  103  errors 
in  her  109  bits  with  heterodyne  or 
the  optimum-phase  measurement 
(which  has  no  known  experimental 
realization).  With  the  usual  privacy 
amplification,  the  users  can  then 
generate  ~  106  or  ~  103  bits  in  the  1 
second  interval  by  eliminating  Eve’s 
information.  While  these  parameter 
values  are  not  particularly  remark¬ 
able  and  have  not  been  experimen¬ 
tally  demonstrated,  they  compare 
favorably  with  coherent-state  BB84 
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schemes  where  S'  ~  0.1  and  a  seri¬ 
ous  beam-splitting  attack  for  3  dB 
loss  also  obtains  that  wipes  out  the 
quantum  advantage  (though  not  the 
post-detection  selection  advantage) 
Bob  has  even  with  intrusion- level 
detection.  More  significantly,  Y-00 
illustrates  the  new  KCQ  principle  of 
quantum  key  generation  introduced 
in  [1],  that  creates  advantage  via  the 
difference  between  optimal  quantum 
receiver  performance  with  versus 
without  knowledge  of  a  secret  key, 
which  is  more  powerful  than  previous 
principles  that  rely  on  intrusion- level 
detection. 

In  conclusion,  the  reduction  of  Y-00 
to  a  classical  stream  cipher  claimed  in 
[9]  is  incorrect  for  data  bit  encryption 
because  it  still  suffers  from  coherent- 
state  quantum  noise  for  typical  op¬ 
erating  parameters.  It  weakens  both 
the  data  and  key  security,  possibly 
information-theoretically  and  cer¬ 
tainly  complexity-wise.  It  is  also  in¬ 
applicable  to  fresh  key  generation 
because  it  does  not  recognize  the 
seed  key  influence  on  the  optimal 
quantum  receiver  performance  and 
because  it  ignores  privacy  amplifica¬ 
tion.  The  principle  underlying  Y-00 
can  be  used  in  conjunction  with  ad¬ 
ditional  techniques  to  obtain  much 
more  powerful  advantage  creation 
for  key  generation,  as  well  as  near 
perfect  information-theoretic  secu¬ 
rity  for  the  data  and  the  key  in  direct 
encryption  against  known-plaintext 
attacks.  The  detailed  development 
has  begun  in  [1]  and  will  be  presented 
elsewhere. 
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